Gurulandia/Homelab
1
0
Fork 0
Code Pull Requests Actions Wiki Activity

Jemmaan

Browse Source
This commit is contained in:
Gurulandia
2026-03-01 12:27:13 +02:00
parent 72bc66ff82
commit 745899e96c
4 changed files with 736 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

281
config/docker/2022/misc/gl-docker-compose.yml Normal file
View File

@@ -0,0 +1,281 @@
version: "3.7"
########################### NETWORKS
# There is no need to create any networks outside this docker-compose file.
# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please.
# Docker Compose version 3.5 or higher required to define networks this way.
networks:
gl_proxy:
name: gl_proxy
driver: bridge
ipam:
config:
- subnet: $GL_PROXY_SUBNET
gateway: $GL_PROXY_GATEWAY
default:
driver: bridge
gl_socket_proxy:
name: gl_socket_proxy
driver: bridge
ipam:
config:
- subnet: $GL_SOCKET_PROXY_SUBNET
gateway: $GL_SOCKET_PROXY_GATEWAY
########################### SECRETS
secrets:
htpasswd:
file: $SECRETSDIR/htpasswd
cloudflare_email:
file: $SECRETSDIR/cloudflare_email
cloudflare_api_key:
file: $SECRETSDIR/cloudflare_api_key
cloudflare_api_token:
file: $SECRETSDIR/secrets/cloudflare_api_token
authelia_jwt_secret:
file: $SECRETSDIR/authelia_jwt_secret
authelia_session_secret:
file: $SECRETSDIR/authelia_session_secret
authelia_storage_mysql_password:
file: $SECRETSDIR/authelia_storage_mysql_password
authelia_storage_encryption_key:
file: $SECRETSDIR/authelia_storage_encryption_key
authelia_ldap_password:
file: $SECRETSDIR/authelia_ldap_password
# authelia_notifier_smtp_password:
# file: $DOCKERDIR/secrets/authelia_notifier_smtp_password
# authelia_duo_api_secret_key:
# file: $DOCKERDIR/secrets/authelia_duo_api_secret_key
########################### SERVICES
services:
# Traefik 2 - Reverse Proxy
# Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
# touch $DOCKERDIR/traefik2/acme/acme.json
# chmod 600 $DOCKERDIR/traefik2/acme/acme.json
# touch $DOCKERDIR/traefik2/traefik.log
traefik:
container_name: gl-traefik
image: traefik:latest
#image: traefik:livarot # picodon v2.3.x # chevrotin v2.2.x
restart: always
command: # CLI arguments
- --global.checkNewVersion=true
- --global.sendAnonymousUsage=true
- --entryPoints.http.address=:80
- --entryPoints.https.address=:443
#- --entrypoints.https.forwardedHeaders.trustedIPs=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
- --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IP_RANGES
- --entryPoints.traefik.address=:8080
# - --entryPoints.ping.address=:8081
- --api=true
# - --api.insecure=true
- --api.dashboard=true
#- --ping=true
#- --pilot.token=$TRAEFIK_PILOT_TOKEN
- --serversTransport.insecureSkipVerify=true
#- --log=true
#- --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
#- --accessLog=true
#- --accessLog.filePath=/traefik.log
#- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
#- --accessLog.filters.statusCodes=400-499
- --providers.docker=true
- --providers.docker.endpoint=$DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security
# Automatically set Host rule for services
# - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`)
- --providers.docker.exposedByDefault=false
# - --entrypoints.https.http.middlewares=chain-oauth@file
- --entrypoints.https.http.tls.options=tls-opts@file
# Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
- --entrypoints.https.http.tls.certresolver=$CERTRESOLVER
- --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0
- --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0
- --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain
- --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain
- --providers.docker.network=gl_proxy
- --providers.docker.swarmMode=false
- --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
# - --providers.file.filename=/path/to/file # Load dynamic configuration from a file
- --providers.file.watch=true # Only works on top level files in the rules folder
# - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
- --certificatesResolvers.$CERTRESOLVER.acme.email=$CLOUDFLARE_EMAIL
- --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=$DNS_PROVIDER
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=$RESOLVER0 #,$RESOLVER1
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
networks:
gl_proxy:
ipv4_address: $TRAEFIK_IP0 # You can specify a static IP
gl_socket_proxy:
ipv4_address: $TRAEFIK_IP1
security_opt:
- no-new-privileges:true
#healthcheck:
# test: ["CMD", "traefik", "healthcheck", "--ping"]
# interval: 5s
# retries: 3
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
# - target: 8080
# published: 8080
# protocol: tcp
# mode: host
volumes:
- $DOCKERDIR/appdata/traefik2/rules:/rules # file provider directory
- $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
#- $DOCKERDIR/appdata/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
- $DOCKERDIR/shared:/shared
environment:
- CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
- CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
- HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere.
secrets:
- cloudflare_email
- cloudflare_api_key
- htpasswd
labels:
#- "autoheal=true"
- "traefik.enable=true"
# HTTP-to-HTTPS Redirect
- "traefik.http.routers.http-catchall.entrypoints=http"
- "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
# HTTP Routers
- "traefik.http.routers.traefik-rtr.entrypoints=https"
- "traefik.http.routers.traefik-rtr.rule=Host(`proxy.local.$DOMAINNAME0`)"
## Services - API
- "traefik.http.routers.traefik-rtr.service=api@internal"
## Healthcheck/ping
#- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME0`) && Path(`/ping`)"
#- "traefik.http.routers.ping.tls=true"
#- "traefik.http.routers.ping.service=ping@internal"
## Middlewares
#- "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file"
- "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file"
# Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
socket-proxy:
container_name: gl-socket-proxy
image: tecnativa/docker-socket-proxy
restart: always
networks:
gl_socket_proxy:
ipv4_address: $SOCKET_PROXY_IP # You can specify a static IP
privileged: true
#ports:
# - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line.
# I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network.
# - "2375:2375"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
- LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
# 0 to revoke access.
# 1 to grant access.
## Granted by Default
- EVENTS=1
- PING=1
- VERSION=1
## Revoked by Default
# Security critical
- AUTH=0
- SECRETS=0
- POST=1 # Ouroboros
# Not always needed
- BUILD=0
- COMMIT=0
- CONFIGS=0
- CONTAINERS=1 # Traefik, portainer, etc.
- DISTRIBUTION=0
- EXEC=1
- IMAGES=1 # Portainer
- INFO=1 # Portainer
- NETWORKS=1 # Portainer
- NODES=0
- PLUGINS=0
- SERVICES=1 # Portainer
- SESSION=0
- SWARM=0
- SYSTEM=0
- TASKS=1 # Portaienr
- VOLUMES=1 # Portainer
# Portainer - WebUI for Containers
portainer:
container_name: gl-portainer
image: portainer/portainer-ce:latest
restart: unless-stopped
command: -H $DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security
networks:
gl_proxy:
ipv4_address: $PORTAINER_IP0
gl_socket_proxy:
ipv4_address: $PORTAINER_IP1
security_opt:
- no-new-privileges:true
# ports:
# - "9000:9000"
volumes:
- $DOCKERDIR/appdata/portainer:/data # Change to local directory if you want to save/transfer config locally
environment:
- TZ=$TZ
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.portainer-rtr.entrypoints=https"
- "traefik.http.routers.portainer-rtr.rule=Host(`portainer.local.$DOMAINNAME0`)"
## Middlewares
#- "traefik.http.routers.portainer-rtr.middlewares=chain-authelia@file"
- "traefik.http.routers.portainer-rtr.middlewares=chain-no-auth@file"
## HTTP Services
- "traefik.http.routers.portainer-rtr.service=portainer-svc"
- "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"
# Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication
authelia:
container_name: gl-authelia
# Check this before upgrading: https://github.com/authelia/authelia/blob/master/BREAKING.md
image: authelia/authelia:latest
restart: always
networks:
gl_proxy:
ipv4_address: $AUTHELIA_IP # You can specify a static IP
default:
# ports:
# - "9091:9091"
volumes:
- $DOCKERDIR/appdata/authelia:/config
environment:
- TZ=$TZ
- AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
- AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
- AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password
- AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key
- AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/run/secrets/authelia_ldap_password
# - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password
# - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key
secrets:
- authelia_jwt_secret
- authelia_session_secret
- authelia_storage_mysql_password
- authelia_storage_encryption_key
# - authelia_notifier_smtp_password
# - authelia_duo_api_secret_key
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.authelia-rtr.entrypoints=https"
- "traefik.http.routers.authelia-rtr.rule=Host(`auth.local.$DOMAINNAME0`)"
- "traefik.http.routers.authelia-rtr.tls=true"
## Middlewares
- "traefik.http.routers.authelia-rtr.middlewares=chain-no-auth@file"
#chain-authelia@file"
## HTTP Services
- "traefik.http.routers.authelia-rtr.service=authelia-svc"
- "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"

287
config/docker/2022/misc/gl-docker-compose_2022.yml Normal file
View File

@@ -0,0 +1,287 @@
version: "3.7"
########################### NETWORKS
# There is no need to create any networks outside this docker-compose file.
# You may customize the network subnets (192.168.90.0/24 and 91.0/24) below as you please.
# Docker Compose version 3.5 or higher required to define networks this way.
networks:
proxy:
name: proxy
driver: bridge
ipam:
config:
- subnet: $PROXY_SUBNET
gateway: $PROXY_GATEWAY
default:
driver: bridge
socket_proxy:
name: socket_proxy
driver: bridge
ipam:
config:
- subnet: $SOCKET_PROXY_SUBNET
gateway: $SOCKET_PROXY_GATEWAY
########################### SECRETS
secrets:
htpasswd:
file: $SECRETSDIR/htpasswd
cloudflare_email:
file: $SECRETSDIR/cloudflare_email
cloudflare_api_key:
file: $SECRETSDIR/cloudflare_api_key
cloudflare_api_token:
file: $SECRETSDIR/secrets/cloudflare_api_token
authelia_jwt_secret:
file: $SECRETSDIR/authelia_jwt_secret
authelia_session_secret:
file: $SECRETSDIR/authelia_session_secret
authelia_ldap_password:
file: $SECRETSDIR/authelia_ldap_password
authelia_storage_encryption_key:
file: $SECRETSDIR/authelia_storage_encryption_key
# authelia_storage_mysql_password:
# file: $DOCKERDIR/secrets/authelia_storage_mysql_password
# authelia_notifier_smtp_password:
# file: $DOCKERDIR/secrets/authelia_notifier_smtp_password
# authelia_duo_api_secret_key:
# file: $DOCKERDIR/secrets/authelia_duo_api_secret_key
########################### SERVICES
services:
# Traefik 2 - Reverse Proxy
# Touch (create empty files) traefik.log and acme/acme.json. Set acme.json permissions to 600.
# touch $DOCKERDIR/traefik2/acme/acme.json
# chmod 600 $DOCKERDIR/traefik2/acme/acme.json
# touch $DOCKERDIR/traefik2/traefik.log
traefik:
container_name: traefik
image: traefik:latest
#image: traefik:livarot # picodon v2.3.x # chevrotin v2.2.x
restart: always
command: # CLI arguments
- --global.checkNewVersion=true
- --global.sendAnonymousUsage=true
- --entryPoints.http.address=:80
- --entryPoints.https.address=:443
#- --entrypoints.https.forwardedHeaders.trustedIPs=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
- --entrypoints.https.forwardedHeaders.trustedIPs=$CLOUDFLARE_IP_RANGES
- --entryPoints.traefik.address=:8080
# - --entryPoints.ping.address=:8081
- --api=true
# - --api.insecure=true
- --api.dashboard=true
#- --ping=true
#- --pilot.token=$TRAEFIK_PILOT_TOKEN
- --serversTransport.insecureSkipVerify=true
#- --log=true
#- --log.level=WARN # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
#- --accessLog=true
#- --accessLog.filePath=/traefik.log
#- --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
#- --accessLog.filters.statusCodes=400-499
- --providers.docker=true
- --providers.docker.endpoint=$DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security
# Automatically set Host rule for services
# - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME0`)
- --providers.docker.exposedByDefault=false
# - --entrypoints.https.http.middlewares=chain-oauth@file
- --entrypoints.https.http.tls.options=tls-opts@file
# Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services
- --entrypoints.https.http.tls.certresolver=$CERTRESOLVER
- --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME0
- --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME0
- --entrypoints.https.http.tls.domains[1].main=$DOMAINNAME1 # Pulls main cert for second domain
- --entrypoints.https.http.tls.domains[1].sans=*.$DOMAINNAME1 # Pulls wildcard cert for second domain
- --providers.docker.network=proxy
- --providers.docker.swarmMode=false
- --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory
# - --providers.file.filename=/path/to/file # Load dynamic configuration from a file
- --providers.file.watch=true # Only works on top level files in the rules folder
# - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
- --certificatesResolvers.$CERTRESOLVER.acme.email=$CLOUDFLARE_EMAIL
- --certificatesResolvers.$CERTRESOLVER.acme.storage=/acme.json
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.provider=$DNS_PROVIDER
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.resolvers=$RESOLVER0 #,$RESOLVER1
- --certificatesResolvers.$CERTRESOLVER.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
networks:
proxy:
ipv4_address: $TRAEFIK_IP0 # You can specify a static IP
socket_proxy:
ipv4_address: $TRAEFIK_IP1
security_opt:
- no-new-privileges:true
#healthcheck:
# test: ["CMD", "traefik", "healthcheck", "--ping"]
# interval: 5s
# retries: 3
ports:
- target: 80
published: 80
protocol: tcp
mode: host
- target: 443
published: 443
protocol: tcp
mode: host
- target: 8080
published: 8080
protocol: tcp
mode: host
volumes:
- $DOCKERDIR/appdata/traefik2/rules:/rules # file provider directory
- $DOCKERDIR/appdata/traefik2/acme/acme.json:/acme.json # cert location - you must touch this file and change permissions to 600
#- $DOCKERDIR/appdata/traefik2/traefik.log:/traefik.log # for fail2ban - make sure to touch file before starting container
- $DOCKERDIR/shared:/shared
environment:
- CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
- CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
- HTPASSWD_FILE=/run/secrets/htpasswd # HTPASSWD_FILE can be whatever as it is not used/called anywhere.
secrets:
- cloudflare_email
- cloudflare_api_key
- htpasswd
labels:
#- "autoheal=true"
- "traefik.enable=true"
# HTTP-to-HTTPS Redirect
- "traefik.http.routers.http-catchall.entrypoints=http"
- "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
- "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
- "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
# HTTP Routers
- "traefik.http.routers.traefik-rtr.entrypoints=https"
- "traefik.http.routers.traefik-rtr.rule=Host(`proxy.local.$DOMAINNAME0`)"
## Services - API
- "traefik.http.routers.traefik-rtr.service=api@internal"
## Healthcheck/ping
#- "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME0`) && Path(`/ping`)"
#- "traefik.http.routers.ping.tls=true"
#- "traefik.http.routers.ping.service=ping@internal"
## Middlewares
#- "traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file"
- "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file"
# Docker Socket Proxy - Security Enchanced Proxy for Docker Socket
socket-proxy:
container_name: socket-proxy
image: tecnativa/docker-socket-proxy
restart: always
networks:
socket_proxy:
ipv4_address: $SOCKET_PROXY_IP # You can specify a static IP
privileged: true
#ports:
# - "127.0.0.1:2375:2375" # Port 2375 should only ever get exposed to the internal network. When possible use this line.
# I use the next line instead, as I want portainer to manage multiple docker endpoints within my home network.
# - "2375:2375"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
environment:
- LOG_LEVEL=info # debug,info,notice,warning,err,crit,alert,emerg
## Variables match the URL prefix (i.e. AUTH blocks access to /auth/* parts of the API, etc.).
# 0 to revoke access.
# 1 to grant access.
## Granted by Default
- EVENTS=1
- PING=1
- VERSION=1
## Revoked by Default
# Security critical
- AUTH=0
- SECRETS=0
- POST=1 # Ouroboros
# Not always needed
- BUILD=0
- COMMIT=0
- CONFIGS=0
- CONTAINERS=1 # Traefik, portainer, etc.
- DISTRIBUTION=0
- EXEC=1
- IMAGES=1 # Portainer
- INFO=1 # Portainer
- NETWORKS=1 # Portainer
- NODES=0
- PLUGINS=0
- SERVICES=1 # Portainer
- SESSION=0
- SWARM=0
- SYSTEM=0
- TASKS=1 # Portaienr
- VOLUMES=1 # Portainer
# Portainer - WebUI for Containers
portainer:
container_name: portainer
image: portainer/portainer-ce:latest
restart: unless-stopped
command: -H $DOCKER_ENDPOINT # Use Docker Socket Proxy instead for improved security
networks:
proxy:
ipv4_address: $PORTAINER_IP0
socket_proxy:
ipv4_address: $PORTAINER_IP1
security_opt:
- no-new-privileges:true
volumes:
- $DOCKERDIR/appdata/portainer:/data # Change to local directory if you want to save/transfer config locally
environment:
- TZ=$TZ
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.portainer-rtr.entrypoints=https"
- "traefik.http.routers.portainer-rtr.rule=Host(`portainer.local.$DOMAINNAME0`)"
## Middlewares
- "traefik.http.routers.portainer-rtr.middlewares=chain-authelia@file"
#- "traefik.http.routers.portainer-rtr.middlewares=chain-no-auth@file"
## HTTP Services
- "traefik.http.routers.portainer-rtr.service=portainer-svc"
- "traefik.http.services.portainer-svc.loadbalancer.server.port=9000"
# Authelia (Lite) - Self-Hosted Single Sign-On and Two-Factor Authentication
authelia:
container_name: authelia
# Check this before upgrading: https://github.com/authelia/authelia/blob/master/BREAKING.md
image: authelia/authelia:latest
restart: always
networks:
proxy:
ipv4_address: $AUTHELIA_IP # You can specify a static IP
#default:
# ports:
# - "9091:9091"
volumes:
- $DOCKERDIR/appdata/authelia:/config
environment:
- TZ=$TZ
- AUTHELIA_JWT_SECRET_FILE=/run/secrets/authelia_jwt_secret
- AUTHELIA_SESSION_SECRET_FILE=/run/secrets/authelia_session_secret
- AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/run/secrets/authelia_storage_encryption_key
- AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/run/secrets/authelia_ldap_password
# - AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/run/secrets/authelia_storage_mysql_password
# - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/run/secrets/authelia_notifier_smtp_password
# - AUTHELIA_DUO_API_SECRET_KEY_FILE=/run/secrets/authelia_duo_api_secret_key
# - AUTHELIA_TLS_KEY_FILE
# - AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
# - AUTHELIA_SESSION_REDIS_PASSWORD_FILE
# - AUTHELIA_REDIS_HIGH_AVAILABILITY_SENTINEL_PASSWORD_FILE
# - AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
# - AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
secrets:
- authelia_jwt_secret
- authelia_session_secret
- authelia_storage_encryption_key
- authelia_ldap_password
# - authelia_storage_mysql_password
# - authelia_notifier_smtp_password
# - authelia_duo_api_secret_key
labels:
- "traefik.enable=true"
## HTTP Routers
- "traefik.http.routers.authelia-rtr.entrypoints=https"
- "traefik.http.routers.authelia-rtr.rule=Host(`auth.local.$DOMAINNAME0`)"
- "traefik.http.routers.authelia-rtr.tls=true"
## Middlewares
- "traefik.http.routers.authelia-rtr.middlewares=chain-no-auth@file"
#chain-authelia@file"
## HTTP Services
- "traefik.http.routers.authelia-rtr.service=authelia-svc"
- "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"

85
config/docker/2022/misc/gl.env Normal file
View File

@@ -0,0 +1,85 @@
##### SYSTEM
PUID=1000
PGID=1000
TZ=Europe/Helsinki
USERDIR=/home/gurulandia
DOCKERDIR=/gurulandia/data/docker
SECRETSDIR=/gurulandia/data/docker/secrets
DOCKER_ENDPOINT=tcp://socket-proxy:2375
##### SUBNETS
PROXY_SUBNET=192.168.91.0/24
SOCKET_PROXY_SUBNET=192.168.92.0/24
##### GATEWAYS
PROXY_GATEWAY=192.168.91.1
SOCKET_PROXY_GATEWAY=192.168.92.1
##### IP ADDRESSES
SOCKET_PROXY_IP=192.168.92.254
TRAEFIK_PROXY_IP=192.168.91.254
TRAEFIK_SOCKET_PROXY_IP=192.168.92.252
PORTAINER_PROXY_IP=192.168.91.253
PORTAINER_SOCKET_PROXY_IP=192.168.92.253
AUTHELIA_IP=192.168.91.252
HEIMDALL_IP=192.168.91.2
VSCODE_IP=192.168.91.3
YOURLS_IP=192.168.91.4
LIBRESPEED_IP=192.168.91.5
ADMINER_IP=192.168.91.6
DOZZLE_IP0=192.168.91.7
GLANCES_IP0=192.168.91.8
CLOUDDNS_IP=192.168.91.9
CERTDUMPER_IP=192.168.91.10
DOZZLE_IP1=192.168.92.7
GLANCES_IP1=192.168.92.8
#SERVER_IP=
#PIHOLE_IP=
#LOCAL_NETWORK=
##### PORTS
LIBRESPEED_PORT=30001
##### DOMAIN
DOMAINNAME0=gurulandia.eu
DOMAINNAME1=local.gurulandia.eu
CLOUDFLARE_EMAIL=gurulandia@outlook.com
CLOUDFLARE_IP_RANGES=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,172.64.0.0/13,131.0.72.0/22,104.16.0.0/13,104.24.0.0/14
##### DUCKDNS
DUCKDNSDOMAIN0=gurulandia.duckdns.org
DUCKDNS_TOKEN=99636f9f-46d7-4d80-b171-6ae486d1bc7b
##### Certificate
CERTRESOLVER=dns-cloudflare
DNS_PROVIDER=cloudflare
RESOLVER0=1.1.1.1:53
RESOLVER1=1.0.0.1:53
##### DATABASE
DB_HOST=192.168.99.60
DB_PORT=3306
MYSQL_ROOT_PASSWORD=
VSCODE_PASSWORD=glvscode
EMAIL=gurulandia@outlook.com
GUAC_MYSQL_USER=guacamole
GUAC_MYSQL_PASSWORD=guacamole

83
config/docker/2022/misc/gl_1.env Normal file
View File

@@ -0,0 +1,83 @@
##### SYSTEM
PUID=1000
PGID=1000
TZ=Europe/HelsinkI
USERDIR=/home/gurulandia
DOCKERDIR=/gurulandia/data/docker
SECRETSDIR=/gurulandia/data/docker/secrets
DOCKER_ENDPOINT=tcp://gl-socket-proxy:2375
##### SUBNETS
GL_PROXY_SUBNET=192.168.91.0/24
GL_SOCKET_PROXY_SUBNET=192.168.92.0/24
##### GATEWAYS
GL_PROXY_GATEWAY=192.168.91.1
GL_SOCKET_PROXY_GATEWAY=192.168.92.1
##### IP ADDRESSES
HEIMDALL_IP=192.168.91.2
VSCODE_IP=192.168.91.3
YOURLS_IP=192.168.91.4
LIBRESPEED_IP=192.168.91.5
ADMINER_IP=192.168.91.6
DOZZLE_IP0=192.168.91.7
GLANCES_IP0=192.168.91.8
CLOUDDNS_IP=192.168.91.9
CERTDUMPER_IP=192.168.91.10
AUTHELIA_IP=192.168.91.252
PORTAINER_IP0=192.168.91.253
TRAEFIK_IP0=192.168.91.254
DOZZLE_IP1=192.168.92.7
GLANCES_IP1=192.168.92.8
TRAEFIK_IP1=192.168.92.252
PORTAINER_IP1=192.168.92.253
SOCKET_PROXY_IP=192.168.92.254
#SERVER_IP=
#PIHOLE_IP=
#LOCAL_NETWORK=
##### PORTS
VSCODE_PORT=8443
LIBRESPEED_PORT=30001
##### DOMAIN
DOMAINNAME0=gurulandia.eu
DOMAINNAME1=local.gurulandia.eu
CLOUDFLARE_EMAIL=gurulandia@outlook.com
CLOUDFLARE_IP_RANGES=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,172.64.0.0/13,131.0.72.0/22,104.16.0.0/13,104.24.0.0/14
##### DUCKDNS
DUCKDNSDOMAIN0=gurulandia.duckdns.org
DUCKDNS_TOKEN=99636f9f-46d7-4d80-b171-6ae486d1bc7b
##### Certificate
CERTRESOLVER=dns-cloudflare
DNS_PROVIDER=cloudflare
RESOLVER0=1.1.1.1:53
RESOLVER1=1.0.0.1:53
##### DATABASE
DB_HOST=192.168.99.60
DB_PORT=3306
MYSQL_ROOT_PASSWORD=
VSCODE_PASSWORD=glvscode
EMAIL=gurulandia@outlook.com
GUAC_MYSQL_USER=guacamole
GUAC_MYSQL_PASSWORD=guacamole